SUSE-SU-2023:2096-2: important: Security update for netty, netty-tcnative
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Jun 21 12:31:48 UTC 2023
# Security update for netty, netty-tcnative
Announcement ID: SUSE-SU-2023:2096-2
Rating: important
References:
* #1199338
* #1206360
* #1206379
Cross-References:
* CVE-2022-24823
* CVE-2022-41881
* CVE-2022-41915
CVSS scores:
* CVE-2022-24823 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2022-24823 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2022-41881 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-41881 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2022-41915 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2022-41915 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products:
* Development Tools Module 15-SP5
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Package Hub 15 15-SP5
An update that solves three vulnerabilities and contains one feature can now be
installed.
## Description:
This update for netty, netty-tcnative fixes the following issues:
netty:
* Security fixes included in this version update from 4.1.75 to 4.1.90:
* CVE-2022-24823: Local Information Disclosure Vulnerability in Netty on Unix-
Like systems due temporary files for Java 6 and lower in io.netty:netty-
codec-http (bsc#1199338)
* CVE-2022-41881: HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360)
* CVE-2022-41915: HTTP Response splitting from assigning header value iterator
(bsc#1206379)
* Other non-security bug fixes included in this version update from 4.1.75 to
4.1.90:
* Build with Java 11 on ix86 architecture in order to avoid build failures
* Fix `HttpHeaders.names` for non-String headers
* Fix `FlowControlHandler` behaviour to pass read events when auto-reading is
turned off
* Fix brotli compression
* Fix a bug in FlowControlHandler that broke auto-read
* Fix a potential memory leak bug has been in the pooled allocator
* Fix a scalability issue caused by instanceof and check-cast checks that lead
to false-sharing on the `Klass::secondary_super_cache` field in the JVM
* Fix a bug in our `PEMParser` when PEM files have multiple objects, and
`BouncyCastle` is on the classpath
* Fix several `NullPointerException` bugs
* Fix a regression `SslContext` private key loading
* Fix a bug in `SslContext` private key reading fall-back path
* Fix a buffer leak regression in `HttpClientCodec`
* Fix a bug where some `HttpMessage` implementations, that also implement
`HttpContent`, were not handled correctly
* Fix epoll bug when receiving zero-sized datagrams
* Fix a bug in `SslHandler` so `handlerRemoved` works properly even if
`handlerAdded` throws an exception
* Fix an issue that allowed the multicast methods on `EpollDatagramChannel` to
be called outside of an event-loop thread
* Fix a bug where an OPT record was added to DNS queries that already had such
a record
* Fix a bug that caused an error when files uploaded with HTTP POST contained
a backslash in their name
* Fix an issue in the `BlockHound` integration that could occasionally cause
NetUtil to be reported as performing blocking operation. A similar
`BlockHound` issue was fixed for the `JdkSslContext`
* Fix a bug that prevented preface or settings frames from being flushed, when
an HTTP2 connection was established with prior-knowledge
* Fix a bug where Netty fails to load a shaded native library
* Fix and relax overly strict HTTP/2 header validation check that was
rejecting requests from Chrome and Firefox
* Fix OpenSSL and BoringSSL implementations to respect the
`jdk.tls.client.protocols` and `jdk.tls.server.protocols` system properties,
making them react to these in the same way the JDK SSL provider does
* Fix inconsitencies in how `epoll`, `kqueue`, and `NIO` handle RDHUP
* For a more detailed list of changes please consult the official release
notes:
* Changes from 4.1.90: https://netty.io/news/2023/03/14/4-1-90-Final.html
* Changes from 4.1.89: https://netty.io/news/2023/02/13/4-1-89-Final.html
* Changes from 4.1.88: https://netty.io/news/2023/02/12/4-1-88-Final.html
* Changes from 4.1.87: https://netty.io/news/2023/01/12/4-1-87-Final.html
* Changes from 4.1.86: https://netty.io/news/2022/12/12/4-1-86-Final.html
* Changes from 4.1.85: https://netty.io/news/2022/11/09/4-1-85-Final.html
* Changes from 4.1.84: https://netty.io/news/2022/10/11/4-1-84-Final.html
* Changes from 4.1.82: https://netty.io/news/2022/09/13/4-1-82-Final.html
* Changes from 4.1.81: https://netty.io/news/2022/09/08/4-1-81-Final.html
* Changes from 4.1.80: https://netty.io/news/2022/08/26/4-1-80-Final.html
* Changes from 4.1.79: https://netty.io/news/2022/07/11/4-1-79-Final.html
* Changes from 4.1.78: https://netty.io/news/2022/06/14/4-1-78-Final.html
* Changes from 4.1.77: https://netty.io/news/2022/05/06/2-1-77-Final.html
* Changes from 4.1.76: https://netty.io/news/2022/04/12/4-1-76-Final.html
netty-tcnative:
* New artifact named `netty-tcnative-classes`, provided by this update is
required by netty 4.1.90 which contains important security updates
* No formal changelog present. This artifact is closely bound to the netty
releases
## Patch Instructions:
To install this SUSE Important update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-2096=1
* Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-2096=1
* SUSE Package Hub 15 15-SP5
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-2096=1
## Package List:
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* netty-tcnative-2.0.59-150200.3.10.1
* netty-4.1.90-150200.4.14.1
* openSUSE Leap 15.5 (noarch)
* netty-tcnative-javadoc-2.0.59-150200.3.10.1
* netty-javadoc-4.1.90-150200.4.14.1
* netty-poms-4.1.90-150200.4.14.1
* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* netty-tcnative-2.0.59-150200.3.10.1
* SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
* netty-4.1.90-150200.4.14.1
* SUSE Package Hub 15 15-SP5 (noarch)
* netty-javadoc-4.1.90-150200.4.14.1
* netty-poms-4.1.90-150200.4.14.1
## References:
* https://www.suse.com/security/cve/CVE-2022-24823.html
* https://www.suse.com/security/cve/CVE-2022-41881.html
* https://www.suse.com/security/cve/CVE-2022-41915.html
* https://bugzilla.suse.com/show_bug.cgi?id=1199338
* https://bugzilla.suse.com/show_bug.cgi?id=1206360
* https://bugzilla.suse.com/show_bug.cgi?id=1206379
* https://jira.suse.com/browse/SLE-23217
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20230621/9460da2a/attachment.htm>
More information about the sle-security-updates
mailing list